Review: Symantec Endpoint Protection 11

According to most industry comparative sources, two of the top 10 enterprise antivirus products are Endpoint Protection by Symantec (SEP) and NOD32 by Eset. These products often occupy the top two positions, again depending on your source. AV-Comparatives.org gave its product of the year award to Symantec for 2009 and NOD32 has earned back-to-back VB100 awards since 2002. Personally, I have been well protected using SEP, formerly SAVCE (Symantec Antivirus Corporate Edition), for over a decade but am always open to better solutions if they exist. NOD32 is well known on the internet by PC enthusiasts as a purportedly bullet-proof AV scanner, so the enterprise solution must be equally impressive, right? I decided to find out. Having recently gone through a new enterprise antivirus rollout, I thoroughly vetted NOD32 v4 and SEP 11. I’ll share my review of NOD32 for the enterprise in another posting.

First up is the incumbent, SEP, which has seen many changes since the days I first started using SAVCE, back when client management was NetBIOS dependent. AD integration is now seamless, Server 2008 R2 / Windows 7 are fully supported, and the legacy requirement for WINS is long gone. Installation of the management server piece is still as easy as it was years ago, all controlled from a single media source where the client bits also live. Setup allows you to launch the server or client installs from the installation media. Simple.

The SEP manager component is web-based now with a Java front end, so you will need the JRE on your server. The manager runs happily in IIS, which setup configures for you, assuming you have the Web Server role and the requisite services installed beforehand.

By default the server is set up to use tcp/8443 for the server port and tcp/9090 for the web console port. 8443 is the HTTPS port the manager console logs into, while 9090 serves a plain web page of links, including the download for the manager console itself. Client-to-manager communication is separate from both: it goes through the IIS site that setup created (tcp/80 in a default install), so that port is the one that has to be reachable from every client, and the one to verify first when clients stop checking in. If you have a host or network firewall between the manager and your clients, open 80 to the clients and restrict 8443 and 9090 to the admin workstations that actually need the console.

Once logged in, you are immediately presented with a well laid out dashboard that includes risk detections, client definition status, as well as the current Symantec ThreatCon level and links to pertinent info.

Let’s start at the bottom with the Admin tab and work up. This is where you assign admin rights, manage domains and servers, and work with installation packages. In the Domains section there is, by default, only a single domain defined, called Default. Any deployment packages you created during the server install will assign clients here. You can manage multiple domains if you have a disparate environment, but if not I recommend you disable the Default domain and add your own right away. To switch between domains you need to select the domain at the top and click the Administer Domain button down below. Now only the clients and policies assigned to the active domain will be displayed under those tabs. If you need to move clients between management domains at some point you can either uninstall and reinstall the client with a package that points to the correct domain, or run the SylinkDrop tool, which replaces the client’s Sylink.xml communication file with one exported from the target group and so moves an existing client from one domain to another without a reinstall. If you use AD integration your clients will show up only in their real OUs on the Clients tab.

Also within the Admin tab you can set the console administrators, control SEP server options like mail and directory servers, and create client install packages. Install packages consist of three main parts:

Install feature set: which components of the client to actually install

Once the install settings and feature sets are defined, custom clients can be pushed from the console or the migration wizard, or exported as a package from the Install Packages screen for deployment by other means.

On the Clients tab you will see any non-AD SEP groups you created as well as the currently active domain under My Company. The functionality here is logical but not as useful as it could be. There is no consolidated client view; you have to drill down into each OU to see your clients or run a “search clients” operation to pull the entire list, broken out into several pages. Green bubbles mean that a client is online and communicating with the server. Important to note is that if a client is a member of the actively managed domain, it cannot live outside this structure in a non-AD SEP group.

The Policies sub-tab on the Clients tab shows everything active for a given container. Here you can see that all policies are inherited and which ones are currently applied to this OU.

Important to note here is the “Communications Settings” button, whose contents are inherited from the parent My Company. At the parent level you can change the method by which clients communicate with the server. By default push mode is used, which keeps an open channel between each client and the management server so that policy changes can be quickly propagated; the alternative, pull mode, has clients poll on a heartbeat interval instead, trading propagation speed for fewer concurrent connections on the server. Because push mode holds one TCP session per connected client, running netstat -an on the management server will reveal every open TCP session to all connected clients, which also makes it a quick way to see who is actually checking in.
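To turn that netstat observation into a repeatable check, here is an added example (my own script, not part of SEP or of the original review) that parses a saved Windows netstat -an capture, confirms the manager ports from above are listening, and lists the distinct remote hosts holding ESTABLISHED sessions to each of them. The port roles for 8443 and 9090 follow the review; treating tcp/80 as the IIS client communication port is an assumption about a default install, and the embedded capture is constructed sample data, not output from a real server.

```python
"""Summarise a Windows `netstat -an` capture taken on a SEP 11 manager.

Reports whether each manager port is LISTENING and which remote hosts
hold ESTABLISHED sessions to it. In push mode every connected client
keeps one session open, so the port 80 host list is a rough inventory
of who is currently checking in.
"""
import re
import sys
from collections import defaultdict

# Port roles. 8443/9090 are as described in the review; port 80 as the
# IIS client communication port is an ASSUMPTION about a default install.
SEPM_PORTS = {
    8443: "console login (HTTPS)",
    9090: "web console / console download",
    80: "client communication via IIS (assumed default)",
}

# One TCP row of Windows netstat: Proto, Local, Foreign, State.
# UDP rows carry no state column and therefore do not match.
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_netstat(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state)
    for every TCP row in the capture; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            rows.append((m["laddr"], int(m["lport"]), m["raddr"],
                         m["rport"], m["state"]))
    return rows


def summarize(text, ports=SEPM_PORTS):
    """Return {"listening": {port: bool},
               "clients": {port: sorted list of remote IPs}}.
    Only ESTABLISHED sessions count as clients; TIME_WAIT and friends
    are ignored so a closed console session is not reported as live."""
    listening = {p: False for p in ports}
    clients = defaultdict(set)
    for _laddr, lport, raddr, _rport, state in parse_netstat(text):
        if lport not in ports:
            continue
        if state == "LISTENING":
            listening[lport] = True
        elif state == "ESTABLISHED":
            clients[lport].add(raddr)
    return {"listening": listening,
            "clients": {p: sorted(ips) for p, ips in clients.items()}}


# Constructed sample capture (not real data): three listeners, four client
# sessions on port 80 (one host has two), one console login on 8443, and
# one stale TIME_WAIT on 9090 that must not be counted as a client.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.1.21:49321        ESTABLISHED
  TCP    10.0.0.5:80            10.0.1.22:50112        ESTABLISHED
  TCP    10.0.0.5:80            10.0.1.22:50113        ESTABLISHED
  TCP    10.0.0.5:80            10.0.2.7:61001         ESTABLISHED
  TCP    10.0.0.5:8443          10.0.0.9:51233         ESTABLISHED
  TCP    10.0.0.5:9090          10.0.0.9:51240         TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    # Usage on the manager:  netstat -an > netstat.txt
    #                        python sepm_sessions.py netstat.txt
    # With no argument the constructed SAMPLE above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            capture = fh.read()
    else:
        capture = SAMPLE
    report = summarize(capture)
    for port, role in SEPM_PORTS.items():
        status = "listening" if report["listening"][port] else "NOT listening"
        hosts = report["clients"].get(port, [])
        print(f"tcp/{port:<5} {role:<42} {status}; {len(hosts)} remote host(s)")
        for ip in hosts:
            print(f"           {ip}")
```

Run it against a capture taken on the manager and compare the port 80 host list with the green bubbles on the Clients tab; a client that is green but absent from the list, or present in the list but not green, is worth a closer look. Pull-mode clients will only appear while they are in the middle of a heartbeat, so the inventory is meaningful for push mode only.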

The Policies tab provides access to control policies for all installed components in your client. Multiple policies can be created and assigned at different levels, either to local SEP groups or to OUs in your AD. LiveUpdate is set to run on the management server every 4 hours by default, but make sure to assign a LiveUpdate policy to your clients as well; the server downloading definitions does no good if the clients are never told when and where to fetch them.

All fields in each component of the client can be clearly and easily set in a policy, along with a per-item lock so the setting can’t be changed by the end user. This is extremely straightforward, as it should be.

Centralized exceptions can be set either administratively through policy or as user-defined. We obviously don’t want users excluding potentially unsafe items, so you can lock them out from this. In previous builds of SEP you could open the AV client on a user’s PC and see the admin-defined exceptions, but this has since been removed, by customer request according to Symantec. All that is visible from the client is the user-defined exceptions, so you have to look at the policy serial numbers as reported by your clients, confirm they match the serial of the policy currently assigned to that group on the manager, and trust that the exceptions are making it in with the rest of the policy.

Reporting is robust, beautiful, and can be created ad hoc or on a scheduled basis. Detailed break-outs of risks, compliance, and status (among others) are all available.

Environment monitoring is further detailed in the Monitors tab which provides summary pie charts, access to logs, the status of any commands issued in the console, and notification options. Every condition you would expect to want to be notified about is available and configurable here.

Add-on security components like firewalls and heuristic scanning usually result in problems, so I don’t install anything but antivirus and malware protection in my environments. There are posts all over the internet from people looking for help on how to remove these components and clean up their aftermath.

All things considered I give SEP 11 a solid 9 for the enterprise. It works exactly how I expect my corporate AV solution to. Despite a few configuration items being somewhat hard to find and buried in the GUI, the functionality is fantastic and delivers a true “set it and forget it” type of system. The architecture features classic web and data tiers for management and a full-featured client capable of much more than I will use it for. Client management, reporting and alerting are robust, which are absolute requirements. It would be nice if there were a consolidated client view that displays all clients and their status regardless of which OU they live in; currently you have to either drill into each OU or run a search, and either way is functional but undesirable. It would also be nice to be able to optionally view administratively defined centralized exceptions on the clients themselves.